1. Field of the Invention
This invention relates to the field of data processing systems. More particularly, this invention relates to the detection of malware, such as computer viruses, Trojans, worms and the like, carried by e-mail messages.
2. Description of the Prior Art
It is becoming increasingly common for items of malware to be propagated within or attached to an e-mail message. Such malware can spread rapidly and be highly destructive. Some forms of malware which are particularly rapidly spreading are self-propagating whereby when a computer is infected with the malware the malware operates to e-mail itself to one or more other computers which it may then also infect.
The destructive effects and large economic costs associated with malware outbreaks are such that measures which can reduce the spread of malware or the effect of malware outbreaks are highly advantageous.
It is a characteristic of malware outbreaks that when a new item of malware is released into the wild, the existing malware scanners are often unable to detect, or inefficient at detecting, the new item of malware. The virus definition data typically used to detect malware efficiently is necessarily one step behind the release of new items of malware since when these have been released, they must be identified to find suitable characteristics within them which can then be added to the virus definition data and searched for by a malware scanner to efficiently identify the new item of malware. The process of obtaining reports of a new item of malware, analysing the thread posed by the new item of malware, deciding to issue an emergency virus definition data update, generating the updated virus definition data and distributing the updated virus definition data to customers takes a finite amount of time. During this time, the new item of malware may be rapidly spreading and causing significant harm to computer systems. It might be thought that one way of shortening this time before the counter-measures were available would be to forego analysing the severity of the threat posed by a new item of malware and immediately press ahead with generating new virus definition data in all cases. However, this has the disadvantage of forcing computer system users to frequently update their virus definition data with the new virus definition data in circumstances where this may not be necessary or justified by the severity of the threat being posed. Furthermore, the increasing rate at which new items of malware are being released into the wild is such that responding to all of these by immediately developing new virus definition data would consume a disadvantageous amount of development time and expense.